DNS problems to RoadRunner - tcp vs udp
Tomas L. Byrnes
tomb at byrneit.net
Fri Jun 13 14:13:36 CDT 2008
First: if you don't allow TCP queries, then you're going to break lots
of recent applications for DNS.
Second: unless your server and resolver support EDNS0, there is no way
to increase the size of a UDP response, and even then, it's not large
enough for many applications (ENUM, TXT, APL, etc.).
TCP response to queries has been specified since RFC1035. The maximum
message size is limited to 65535 bytes (due to the 16bit message size
field before the header).
RE the Cisco questions: this would not be the first time Cisco lagged in
supporting enhanced services on the network.
> -----Original Message-----
> From: Jon Kibler [mailto:Jon.Kibler at aset.com]
> Sent: Friday, June 13, 2008 11:52 AM
> To: Kevin Oberman
> Cc: nanog at merit.edu
> Subject: Re: DNS problems to RoadRunner - tcp vs udp
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Kevin Oberman wrote:
> > If it does not, you should be very concerned. The RFCs
> (several, but
> > I'll point first to good old 1122) allow either TCP or UDP
> to be used
> > for any operation that will fit in a 512 byte transfer.
> (EDNS0 allows
> > larger UDP.)
> > TCP is to be used any time a truncated bit is set in a
> replay. If you
> > ever send a large reply that won't fit in 512 bytes, the
> request will
> > be repeated using a TCP connection. If you ignore these,
> your DNS is
> > broken. It is even allowed under the spec to start out with TCP, as
> > AXFR queries typically do.
> > Yes, I realize that this is fairly common and it does not
> break much,
> > but, should DNSSEC catch on, you might just find the breakage a bit
> > worse than it is today and there is no reason to have even
> the slight
> > breakage that is there now.
> Okay, I stand corrected. I was approaching this from a
> security perspective only, and apparently based on incorrect
> But this leaves me with a couple of questions:
> Various hardening documents for Cisco routers specify the
> best practices are to only allow 53/tcp connections to/from
> secondary name servers.
> Plus, from all I can tell, Cisco's 'ip inspect dns' CBAC
> appears to only handle UDP data connections and anything TCP
> would be denied. From what you are saying, the hardening
> recommendations are wrong and that CBAC may break some DNS
> responses. Is this correct?
> Also, other than "That's what the RFCs call for," why use TCP
> for data exchange instead of larger UDP packets?
> Jon Kibler
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
More information about the NANOG